Business Users Targeted by HawkEye Keylogger Malware

HawkEye keylogger campaigns observed in April and May 2019 focused on targeting business users, IBM X-Force security researchers say.

Under active development since at least 2013, the HawkEye keylogger has been marketed on dark web forums for the past few years for its ability to steal and exfiltrate sensitive information from various applications.

HawkEye Reborn v9, the latest variant of the malware, has been around for the past several months, being advertised as an "Advance Monitoring Solution." The malware was sold to a new owner in December 2018 and is available under a licensing model, with updates promised for specific periods of time.

In addition to stealing sensitive information, HawkEye can download additional malware onto the infected machines, which allows its operators to take advantage of the created botnets for additional monetization.

Campaigns observed in April 2019 were targeting industries such as transportation and logistics, healthcare, import and export, marketing, agriculture, and others, IBM reports.

The keylogger is being distributed via malicious spam emails, now with a clear focus on business users, likely in an attempt to make higher profits, compared to attacking individual users.

“Businesses have more data, many users on the same network and larger bank accounts that criminals prey on. X-Force is not surprised to see HawkEye operators follow the trend that’s become somewhat of a cybercrime norm,” IBM notes.

The malicious emails observed in these attacks pose as messages coming from a large bank in Spain (or fake emails from legitimate companies or from other banks), while the infection process leverages various executable files that use malicious PowerShell scripts.

IBM noticed that, while the targeted users are located all around the world, the IP addresses originating the malspam came from Estonia in this campaign. However, these details change with every campaign, especially given that HawkEye can be operated by various actors, since it is a commercial offering.

“A few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets. It is possible that HawkEye operators further pay for other services from the malware’s vendor, or from another cybercrime vendor serving up spamming campaigns,” IBM concluded.